Sunday, July 31, 2011

Pastebin Security Risks: Monitoring with Rollyo Searchrolls

Although text-sharing “pastebin” sites like pastebin.com and codepad.org have been around for the better part of a decade, I have to admit that I'd never heard of them until LulzSec adopted pastebin.com as its preferred method of shaming its victims. In an article on The Next Web, Matt Brian explores how pastebin.com, once relatively unknown outside the ranks of developers, wound up groaning under the weight of LulzSec's unexpected, and unwelcome, information dumps.

LulzSec gets the headlines, but many publicity-shy individuals and groups also use pastebins for illicit activities such as sharing confidential data, offering PII for sale, trading exploits, and revealing personal information on underground rivals. As Matt Brian notes, a quick look at pastebin.com's “Trending Pastes” shows that a majority of the most popular individual pastes are dumps of breached data, cracked passwords, or other illegitimate content. And Silas Cutler at ReverSecurity points to keylogger dumps and carder profiles among the tens of thousands of daily posts to these sites.

For the information security manager concerned about pastebins, I think there are six general types of risks to be on the lookout for:

Breach dumps: An attacker may breach an organization's data and post it on a pastebin site to embarrass the victim (e.g., LulzSec).

Seller Information: Instead of merely embarrassing a victim, the attacker might offer his or her breached data for sale, posting a description of the data and a few samples to attract buyers (e.g., http://pastebin.com/0gWUMzeJ).

Accidental Oversharing: Developers or administrators inside an organization, using pastebin for its original purpose of legitimate collaboration, might unintentionally post revealing data such as internal network information, hard-coded passwords nestled inside misbehaving scripts, vulnerable server configurations, etc. This type of oversharing can be valuable during the reconnaissance phase of attacks, as Lenny Zeltser discusses here.

Keyloggers: Some keyloggers, attempting to circumvent outbound data filters, send their key captures to pastebins, where the attacker can harvest them. On the FusionX Blog, Bryan Halfpap describes one example of this, the CyberShark/Zero Edition Trojan.

Defamation: The anonymous and unmoderated nature of pastebin sites makes them a good place for business rivals, unhappy customers, or disgruntled employees to post critical information about your organization without regard for its truthfulness. A motivated individual could post harmful information multiple times, to multiple pastebins, as a kind of easy SEO attack.

Attack Preparation: Although attackers are certainly more likely to plan attacks via private channels such as email, IRC, and restricted forums, there is the possibility that information regarding upcoming attacks will find its way to pastebins. As Silas Cutler points out, IRC chat logs are often posted on pastebins; there is also the possibility that an amorphous group like Anonymous or LulzSec will use a pastebin to communicate quickly with multiple individuals located across the globe.

As an information security practitioner, then, you might want to keep an eye on the various pastebin sites for mentions of your organization's domain names, IP addresses, proprietary application names, or other information that could be evidence of one of the problems listed above. You might also want to watch for the names of key staff members. There is probably, for example, no good reason for your CEO's name to turn up in a pastebin post. Similarly, if the name of your organization's still-secret new product is being bandied about on a pastebin, there is probably cause for concern.

Unfortunately, keeping an eye on all the pastebins on the internet is difficult. There are a lot of them, they come and go quickly, and many of them are not indexed by search engines. Wikipedia has a good list of pastebins here, but there is no reason to believe that this list of 40-odd sites is all-inclusive.

Silas Cutler has developed a tool for scraping and searching pastes from some sites, although he admits that there are some drawbacks to this approach, including the fact that pastebin administrators typically don't like people scraping their sites and take steps to prevent it. Andrew MacPherson has developed a Pastebin Parser that uses the Yahoo Search API to search five popular pastebins, although at the time of writing it appears not to be functioning.

One approach that could complement Cutler's and MacPherson's tools is to use an existing search engine, limited to searching only the pastebin sites listed on the Wikipedia page. To be sure, the Wikipedia list might be incomplete, many pastebins on that list might not be indexed, and search engine indexing will lag post time, perhaps significantly. But with those caveats in mind, I think it can still be productive to use a custom search tool to monitor pastebins for terms that raise concern.

Google offers a Custom Search Engine that purports to give the user the ability to specify a long list of sites to search at one time. However, in my testing, I got unexpected results when I added more than about 10 sites to my search list. After playing with the Custom Search Engine for several hours, I lost confidence in its results. I ran into a few other bugs as well, including a perplexing issue where the tool thought I had exceeded the allowed number of sites to search, even after I had deleted all my custom search engines and started over from scratch. As far as I can tell, Google's Custom Search Engine is no longer maintained by the search giant.

However, I stumbled across an alternative to Google's Custom Search Engine in Rollyo, an interesting site that allows users to create and share custom site searches. Rollyo calls its custom searches “searchrolls”. Each searchroll is limited to 25 sites, but the results seem to be reliable.

To get in under Rollyo's 25-site limit, I broke the list of pastebins from Wikipedia into two groups and created two searchrolls. You can see them here and here. Using these two searchrolls, you can see if anything of concern to your organization has turned up on the best-known pastebin sites (as long as Yahoo—the search engine Rollyo is built on—has indexed it). With some well-chosen search terms and trial and error, you should be able to come up with a couple of quick searches that will turn up worrisome pastes.

Using searchrolls such as this could become part of routine monitoring. Once you build the searchrolls you think are appropriate for your organization, someone can find a few minutes in their morning to run a couple of quick searches and report any concerning findings to the right people. Searchrolls alone are severely limited, of course, But combined with other tools and monitoring approaches, the use of custom search tools such as Rollyo can help an organization detect and prevent security problems as quickly as possible.

About Me

Thanks for visiting my blog. I'm an information security analyst and computer forensic examiner with experience in a variety of industries. I hold the CISSP, CISM, C|EH, CCE, and C|HFI certifications and an MBA. I live and work in Columbia, MO.